Loginphp multiple vulnerabilities
Discovered by: Nomenumbra
Date: 5/2/2006
Impact: moderate (privilege escalation, possible defacement)

's loginphp script is a small user management script:
Users can sign up for a username which they can use to log in to the password-protected main page.
The administrator can delete users. He can also edit the main page.
This script includes the members and help pages.

It is possible to send spoofed mails in MIME format through help.php due to improper filtering:
The PHP mail function is used like:
By following the rules provided in RFC 822 we can inject a message in MIME format like this:
to get this message:
Subject: Visit !
 Content-Type:multipart/mixed; boundary=frog;
 My Message.
A friend thought you might want to see this page :
 Bye Bye
for more information: 
In the register function you can subscribe with the following username (for example):
The input isn't sanitized, so you can insert any XSS (30 characters max), and anyone who visits the page displaying all users will get XSS'd (potentially cookies stolen).
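
The two fixes implied by the findings above, as an added example that is not part of the original advisory or of loginphp itself: values bound for mail() headers are rejected if they contain CR or LF, and usernames are HTML-encoded when the user list is rendered. The function names and sample inputs are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not code from loginphp.

// Reject any value destined for a mail header if it contains CR or LF,
// the characters that end one header line and begin the next.
function header_value(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

// Build the argument list for mail() from form input, or throw.
function build_mail_args(string $to, string $subject, string $body): array
{
    $to = header_value($to);
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid recipient address');
    }
    // Fixed headers: nothing user-controlled reaches the 4th argument, so
    // the body cannot be reinterpreted as a multipart MIME message.
    $headers = "MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8";
    return [$to, header_value($subject), $body, $headers];
}

// Encode a stored username for output in the HTML page listing all users.
function render_username(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs (not the advisory's elided payloads).
$samples = [
    ['friend@example.com', 'Visit our page'],
    ['friend@example.com', "Visit\r\nContent-Type: multipart/mixed; boundary=frog"],
];
foreach ($samples as [$to, $subject]) {
    try {
        build_mail_args($to, $subject, 'A friend thought you might want to see this page.');
        echo "accepted: ", json_encode($subject), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", json_encode($subject), " (", $e->getMessage(), ")\n";
    }
}
// A constructed username containing markup is shown as text, not executed.
echo render_username('<script>alert(1)</script>'), "\n";
```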

